[ARVADOS] created: 8c8f989695aa8e2575cad1b983900c3ca6f58e31

git at public.curoverse.com git at public.curoverse.com
Sun Jan 17 20:28:49 EST 2016


        at  8c8f989695aa8e2575cad1b983900c3ca6f58e31 (commit)


commit 8c8f989695aa8e2575cad1b983900c3ca6f58e31
Author: Tom Clegg <tom at curoverse.com>
Date:   Sun Jan 17 20:28:41 2016 -0500

    7996: Add keep-web to install TOC and server/cert lists.

diff --git a/doc/_config.yml b/doc/_config.yml
index 2f37f5a..05b7437 100644
--- a/doc/_config.yml
+++ b/doc/_config.yml
@@ -155,7 +155,7 @@ navbar:
       - install/install-keepstore.html.textile.liquid
       - install/configure-azure-blob-storage.html.textile.liquid
       - install/install-keepproxy.html.textile.liquid
-      #- install/install-keep-web.html.textile.liquid
+      - install/install-keep-web.html.textile.liquid
       - install/install-crunch-dispatch.html.textile.liquid
       - install/install-compute-node.html.textile.liquid
     - Helpful hints:
diff --git a/doc/install/install-keep-web.html.textile.liquid b/doc/install/install-keep-web.html.textile.liquid
index 9e271d3..3da08b3 100644
--- a/doc/install/install-keep-web.html.textile.liquid
+++ b/doc/install/install-keep-web.html.textile.liquid
@@ -1,22 +1,25 @@
 ---
 layout: default
 navsection: installguide
-title: Install the keep-web server
+title: Install Keep-web server
 ...
 
-The keep-web server provides read-only HTTP access to files stored in Keep. It serves public data to unauthenticated clients, and serves private data to clients that supply Arvados API tokens. It can be installed anywhere with access to Keep services, typically behind a web proxy that provides SSL support. See the "godoc page":http://godoc.org/github.com/curoverse/arvados/services/keep-web for more detail.
+The Keep-web server provides read-only HTTP access to files stored in Keep. It serves public data to unauthenticated clients, and serves private data to clients that supply Arvados API tokens. It can be installed anywhere with access to Keep services, typically behind a web proxy that provides SSL support. See the "godoc page":http://godoc.org/github.com/curoverse/arvados/services/keep-web for more detail.
 
-By convention, we use the following hostnames for the keep-web service:
+By convention, we use the following hostnames for the Keep-web service:
 
 <notextile>
 <pre><code>download.<span class="userinput">uuid_prefix</span>.your.domain
 collections.<span class="userinput">uuid_prefix</span>.your.domain
+*.collections.<span class="userinput">uuid_prefix</span>.your.domain
 </code></pre>
 </notextile>
 
 The above hostnames should resolve from anywhere on the internet.
 
-h2. Install keep-web
+h2. Install Keep-web
+
+Typically Keep-web runs on the same host as Keepproxy, but a different host would work equally well.
 
 On Debian-based systems:
 
@@ -32,7 +35,7 @@ On Red Hat-based systems:
 </code></pre>
 </notextile>
 
-Verify that @keep-web@ is functional:
+Verify that @Keep-web@ is functional:
 
 <notextile>
 <pre><code>~$ <span class="userinput">keep-web -h</span>
@@ -52,7 +55,7 @@ Usage of keep-web:
 {% assign railsout = "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" %}
 If you intend to use Keep-web to serve public data to anonymous clients, configure it with an anonymous token. You can use the same one you used when you set up your Keepproxy server, or use the following command on the <strong>API server</strong> to create another. {% include 'install_rails_command' %}
 
-We recommend running @keep-web@ under "runit":https://packages.debian.org/search?keywords=runit or a similar supervisor. The basic command to start @keep-web@ is:
+We recommend running Keep-web under "runit":https://packages.debian.org/search?keywords=runit or a similar supervisor. The basic command to start Keep-web is:
 
 <notextile>
 <pre><code>export ARVADOS_API_HOST=<span class="userinput">uuid_prefix</span>.your.domain
@@ -71,11 +74,11 @@ Set @ARVADOS_API_HOST_INSECURE=1@ if your API server's SSL certificate is not si
 
 h3. Set up a reverse proxy with SSL support
 
-The keep-web service will be accessible from anywhere on the internet, so we recommend using SSL for transport encryption.
+The Keep-web service will be accessible from anywhere on the internet, so we recommend using SSL for transport encryption.
 
-This is best achieved by putting a reverse proxy with SSL support in front of keep-web, running on port 443 and passing requests to keep-web on port 9002 (or whatever port you chose in your run script).
+This is best achieved by putting a reverse proxy with SSL support in front of Keep-web, running on port 443 and passing requests to Keep-web on port 9002 (or whatever port you chose in your run script).
 
-Note: A wildcard SSL certificate is required in order to support a full-featured secure keep-web service. Without it, keep-web can offer file downloads for all Keep data; however, in order to avoid cross-site scripting vulnerabilities, keep-web refuses to serve private data as web content except when it is accessed using a "secret link" share. With a wildcard SSL certificate and DNS configured appropriately, all data can be served as web content.
+Note: A wildcard SSL certificate is required in order to support a full-featured secure Keep-web service. Without it, Keep-web can offer file downloads for all Keep data; however, in order to avoid cross-site scripting vulnerabilities, Keep-web refuses to serve private data as web content except when it is accessed using a "secret link" share. With a wildcard SSL certificate and DNS configured appropriately, all data can be served as web content.
 
 For example, using Nginx:
 
@@ -116,9 +119,9 @@ Configure your DNS servers so the following names resolve to your Nginx proxy's
 
 If neither of the above wildcard options is feasible, only unauthenticated requests (public data and collection sharing links) will be served as web content at @collections.uuid_prefix.your.domain at . The @download@ name will be used to serve authenticated content, but only as file downloads.
 
-h3. Tell Workbench about the keep-web service
+h3. Tell Workbench about the Keep-web service
 
-Workbench has features like "download file from collection" and "show image" which work better if the content is served by keep-web rather than Workbench itself. We recommend using the two different hostnames ("download" and "collections" above) for file downloads and inline content respectively.
+Workbench has features like "download file from collection" and "show image" which work better if the content is served by Keep-web rather than Workbench itself. We recommend using the two different hostnames ("download" and "collections" above) for file downloads and inline content respectively.
 
 Add the following entry to your Workbench configuration file (@/etc/arvados/workbench/application.yml@). This URL will be used for file downloads.
 
diff --git a/doc/install/install-manual-prerequisites.html.textile.liquid b/doc/install/install-manual-prerequisites.html.textile.liquid
index a26370d..f0599d6 100644
--- a/doc/install/install-manual-prerequisites.html.textile.liquid
+++ b/doc/install/install-manual-prerequisites.html.textile.liquid
@@ -13,7 +13,7 @@ table(table table-bordered table-condensed).
 |_Function_|_Number of nodes_|
 |Arvados API, Crunch dispatcher, Git, Websockets and Workbench|1|
 |Arvados Compute node|1|
-|Arvados Keepproxy server|1|
+|Arvados Keepproxy and Keep-web server|1|
 |Arvados Keepstore servers|2|
 |Arvados Shell server|1|
 |Arvados SSO server|1|
@@ -90,12 +90,13 @@ There are six public-facing services that require an SSL certificate. If you do
 
 Most Arvados clients and services will accept self-signed certificates when the @ARVADOS_API_HOST_INSECURE@ environment variable is set to @true at .  However, web browsers generally do not make it easy for users to accept self-signed certificates from Web sites.
 
-Users who log in through Workbench will visit three sites: the SSO server, the API server, and Workbench itself.  When a browser visits each of these sites, it will warn the user if the site uses a self-signed certificate, and the user must accept it before continuing.  This procedure usually only needs to be done once in a browser.
+Users who log in through Workbench will visit at least three sites: the SSO server, the API server, and Workbench itself.  When a browser visits each of these sites, it will warn the user if the site uses a self-signed certificate, and the user must accept it before continuing.  This procedure usually only needs to be done once in a browser.
 
 After that's done, Workbench includes JavaScript clients for other Arvados services.  Users are usually not warned if these client connections are refused because the server uses a self-signed certificate, and it is especially difficult to accept those cerficiates:
 
 * JavaScript connects to the Websockets server to provide incremental page updates and view logs from running jobs.
 * JavaScript connects to the API and Keepproxy servers to upload local files to collections.
+* JavaScript connects to the Keep-web server to download log files.
 
 In sum, Workbench will be much less pleasant to use in a cluster that uses self-signed certificates.  You should avoid using self-signed certificates unless you plan to deploy a cluster without Workbench; you are deploying only to evaluate Arvados as an individual system administrator; or you can push configuration to users' browsers to trust your self-signed certificates.
 
@@ -109,6 +110,11 @@ table(table table-bordered table-condensed).
 |Arvados API|@uuid_prefix at .your.domain|
 |Arvados Git server|git. at uuid_prefix@.your.domain|
 |Arvados Keepproxy server|keep. at uuid_prefix@.your.domain|
+|Arvados Keep-web server|download. at uuid_prefix@.your.domain
+_and_
+*.collections. at uuid_prefix@.your.domain or
+*<notextile>--</notextile>collections. at uuid_prefix@.your.domain or
+collections. at uuid_prefix@.your.domain (see the "keep-web install docs":install-keep-web.html)|
 |Arvados SSO Server|auth.your.domain|
 |Arvados Websockets endpoint|ws. at uuid_prefix@.your.domain|
 |Arvados Workbench|workbench. at uuid_prefix@.your.domain|

-----------------------------------------------------------------------


hooks/post-receive
-- 




More information about the arvados-commits mailing list